How to Analyze a Suspicious URL
Analyzing a URL means breaking it down and testing each signal instead of trusting how it looks. A link can read like paypal.com at a glance and still belong to an attacker. The good news: you can analyze a suspicious URL — read its structure, find the real owner, and test its reputation — without ever visiting the page. This guide walks through the anatomy of a URL and a repeatable process for inspecting any link.
Analyze a URL now
Paste any link and let the analyzer break it down — domain, redirects, reputation, and content. Free, unlimited, no signup.
Anatomy of a URL: how to read it
Almost every URL trick works by getting you to read the wrong part of the link. Before you can analyze a suspicious URL, you need to know which piece actually identifies its owner. A link breaks into five parts:
- Scheme —
https://orhttp://. HTTPS only means the connection is encrypted; it says nothing about who is on the other end. Attackers use HTTPS too. - Subdomain — anything before the registrable domain, like
login.orsecure.. The owner can put any text here, including a trusted brand name. - Registrable domain — the real owner of the link: the label immediately before the first single slash, together with its TLD (for example
example.com). This is the piece that matters most. - Path — everything after the domain, like
/loginor/verify/account. The path is fully controlled by the site owner and can say anything. - Query — the part after
?, like?id=123&ref=email. Useful context, but also fully attacker-controlled.
The single most important rule: read the hostname from right to left and stop at the first single slash. The registrable domain is the label just before that slash. Compare these three links:
https://paypal.com/login— registrable domain ispaypal.com. Real PayPal.https://paypal.login.attacker.top/verify— registrable domain isattacker.top. Thepaypal.loginpart is just a subdomain the attacker owns; this is not PayPal.https://login-paypal.com— registrable domain islogin-paypal.com, a look-alike domain someone registered to impersonate the brand. Again, not PayPal.
Same brand name, three completely different owners. Once you can spot the registrable domain, most phishing links give themselves away.
How to analyze a suspicious URL step by step
Here is a repeatable process you can run on any link you don’t trust:
- Don’t click. Copy the full link instead — right-click and choose “Copy link address”, or long-press on mobile. Everything else you can do without loading the page.
- Expand any shortener and follow the redirect chain. A
bit.lyort.colink hides its real target, so expand it with the short URL expander and trace every hop with the redirect checker. The final destination is what you actually need to analyze. - Identify the true registrable domain. Apply the right-to-left rule to the final URL and ignore any brand name that appears in a subdomain or path.
- Check domain age & reputation, and the hosting IP. Brand-new domains and bad hosts are strong signals. Run the domain through the domain reputation check and look up the server with the IP reputation check.
- Check for look-alike and homoglyph tricks. Characters like
paypa1.com(digit one for the letter L) or Cyrillic look-alikes are built to fool the eye. The typosquatting detector compares the domain against known brands. - Run it through an automated analyzer. Finally, paste the link into the URL analyzer to test it against Google Safe Browsing, PhishTank, and threat-intelligence feeds in one pass — and to catch anything your manual read missed.
Steps 1–5 are the manual read; step 6 is the automated confirmation. Doing both is how you analyze a URL with confidence instead of guessing.
Signals a URL analyzer checks automatically
Running every check above by hand is thorough but slow. A URL analyzer performs the same inspection in seconds and evaluates signals you can’t see from the link text alone:
- Reputation feeds — Google Safe Browsing, PhishTank, and 17+ threat-intelligence lists of known-malicious domains.
- Domain age — freshly registered domains are disproportionately used for phishing and malware.
- SSL certificate — whether the certificate is valid, and what name it was actually issued to.
- Redirects — the full chain from a shortener or cloak to the real landing page.
- Page content & credential forms — login boxes, password fields, and brand impersonation on the destination page.
- TLD risk — abuse-prone endings like
.top,.xyz, or.zipthat scams cluster on.
For a deeper look at who owns a domain, when it was registered, and how it is hosted, the domain intelligence tool adds registrar, DNS, and hosting context on top of the verdict.
Test a URL safely (without visiting it)
The whole point of analyzing a link this way is that you never have to open it. A scanner fetches and evaluates the page on your behalf, in its own environment, so the destination loads in the analyzer — not in your browser. That means you can test a suspicious URL, read its content and redirects, and get a verdict without ever exposing your device to a drive-by download or a credential-harvesting form.
Frequently asked questions
How do I analyze a URL?
Break the URL into its parts (scheme, subdomain, registrable domain, path, query) and test each signal instead of trusting how the link looks. Expand any shortener, follow the redirect chain, identify the true registrable domain, and check its age, reputation, and hosting. The fastest way is to paste the link into the URL analyzer at urlscans.com/url-scanner, which runs all of these checks for you and returns a verdict in seconds.
What does a URL analyzer check?
A URL analyzer checks reputation feeds (Google Safe Browsing, PhishTank, and threat-intelligence lists), the age of the domain, the SSL certificate, the full redirect chain, the page content and any credential forms, and the risk level of the TLD. URLScans combines these signals into a single Safe / Suspicious / Malicious verdict and explains why the link was flagged.
How can I test a URL safely?
Never open a suspicious link to test it. A URL analyzer fetches and evaluates the destination on your behalf, so the page loads in the scanner's sandbox — not your browser. Paste the link at urlscans.com/url-scanner and you get the analysis without ever exposing your device to a drive-by download or a credential-harvesting page.
How do I find the real domain in a URL?
Read the hostname from right to left. The registrable domain is the label immediately before the first single slash, together with its TLD — for example, in paypal.login.attacker.top/verify the real owner is attacker.top, not paypal. Everything to the left (paypal.login) is just a subdomain the attacker controls. A URL analyzer isolates the registrable domain for you so you cannot be fooled by a brand name in a subdomain.
What is URL analysis?
URL analysis is the process of inspecting a link's structure and testing its signals — domain, redirects, reputation, hosting, and page content — to decide whether it is safe before you visit it. You can automate the whole process with the URL analyzer at urlscans.com/url-scanner, and a free API key (1,000 scans/month, no credit card) at urlscans.com/register lets you run URL analysis from your own scripts and tools.
Analyze any URL in seconds
Break down a link, find its real owner, and test every signal — free and unlimited, no account required.
Analyze a URL now